diff --git a/server/routes/auth.js b/server/routes/auth.js
index 8d41aaa..c9c3efd 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -16,17 +16,19 @@ const loginLimiter = rateLimit({
 router.post('/login', loginLimiter, async (req, res) => {
 try {
 const { username, password } = req.body;
+ const trimmedUsername = username ? username.trim() : '';
+ const trimmedPassword = password ? password.trim() : '';
- if (!username || !password) {
+ if (!trimmedUsername || !trimmedPassword) {
 return res.status(400).json({ success: false, message: '用户名和密码不能为空' });
 }
- const user = await User.findOne({ username }).select('+password');
+ const user = await User.findOne({ username: trimmedUsername }).select('+password');
 if (!user || user.status !== 'active') {
 return res.status(401).json({ success: false, message: '用户名或密码错误' });
 }
- const isMatch = await comparePassword(password, user.password);
+ const isMatch = await comparePassword(trimmedPassword, user.password);
 if (!isMatch) {
 return res.status(401).json({ success: false, message: '用户名或密码错误' });
 }
diff --git a/server/routes/riders.js b/server/routes/riders.js
index 5638731..93a6e08 100644
--- a/server/routes/riders.js
+++ b/server/routes/riders.js
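Review bot: The added `username ? username.trim() : ''` and `password ? password.trim() : ''` lines still call `.trim()` on whatever the JSON body carried, so a non-string value (an object or array) throws a TypeError into the enclosing `try`/`catch` instead of reaching the 400 the guard was written for; the same pattern is in the riders.js and storeAuth.js hunks. An explicit type check routes such input to the existing 400 and also keeps a non-string value from ever reaching `findOne` as a query object: `const trimmedUsername = typeof username === 'string' ? username.trim() : '';` and the same for `trimmedPassword`. Trimming the password before `comparePassword` also changes which credentials verify: a hash stored for a password with leading or trailing whitespace will no longer match unless the registration and password-change paths trim identically, which this commit does not show. The handler's body, including its `catch`, continues outside the hunk.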
@@ -22,15 +22,17 @@ const loginLimiter = rateLimit({
 router.post('/login', loginLimiter, validate(schemas.login), async (req, res) => {
 try {
 const { phone, password } = req.body;
+ const trimmedPhone = phone ? phone.trim() : '';
+ const trimmedPassword = password ? password.trim() : '';
 // 用 select(false) 主动拉取 password 字段
- const rider = await Rider.findOne({ phone }).select('+password');
+ const rider = await Rider.findOne({ phone: trimmedPhone }).select('+password');
 if (!rider) {
 return res.status(401).json({ success: false, message: '手机号或密码错误' });
 }
 // bcrypt 比对密码
- const isMatch = await comparePassword(password, rider.password);
+ const isMatch = await comparePassword(trimmedPassword, rider.password);
 if (!isMatch) {
 return res.status(401).json({ success: false, message: '手机号或密码错误' });
 }
diff --git a/server/routes/storeAuth.js b/server/routes/storeAuth.js
index 0885939..88a5bb6 100644
--- a/server/routes/storeAuth.js
+++ b/server/routes/storeAuth.js
@@ -17,12 +17,14 @@ const loginLimiter = rateLimit({
 router.post('/login', loginLimiter, async (req, res) => {
 try {
 const { username, password } = req.body;
- if (!username || !password) {
+ const trimmedUsername = username ? username.trim() : '';
+ const trimmedPassword = password ? password.trim() : '';
+ if (!trimmedUsername || !trimmedPassword) {
 return res.status(400).json({ success: false, message: '用户名和密码不能为空' });
 }
 // 从 User 表查 store 类型账号
- const user = await User.findOne({ username, type: 'store' }).select('+password');
+ const user = await User.findOne({ username: trimmedUsername, type: 'store' }).select('+password');
 // 查关联的门店
 const Store = require('../models/Store');
 const store = await Store.findOne({ storeId: user.storeId });
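Review bot: In the storeAuth.js hunk, the result of the new `User.findOne({ username: trimmedUsername, type: 'store' })` line is dereferenced on the unchanged `Store.findOne({ storeId: user.storeId })` line before any null check, so an unknown username throws a TypeError into the enclosing `catch` while a wrong password for an existing account reaches the 401 in the following hunk; the two responses differ, which undercuts the shared '用户名或密码错误' message. Either guard before the store lookup, `if (!user) { return res.status(401).json({ success: false, message: '用户名或密码错误' }); }`, or move the `Store` query below the user check that the 401 opening the next hunk suggests already exists outside this hunk. The `require('../models/Store')` inside the handler would also conventionally sit with the module's other imports at the top of the file. The handler continues outside the hunk.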
@@ -30,7 +32,7 @@ router.post('/login', loginLimiter, async (req, res) => {
 return res.status(401).json({ success: false, message: '用户名或密码错误' });
 }
- const isMatch = await comparePassword(password, user.password);
+ const isMatch = await comparePassword(trimmedPassword, user.password);
 if (!isMatch) {
 return res.status(401).json({ success: false, message: '用户名或密码错误' });
 }